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(54) Apparatus and method to provide security for a keypad processor of a transaction terminal 


(57) A secured processor for use with a plurality of 
data entry pons, comprising 

an actual polling circuit adapted to be coupled to the 
plurality of data entry ports for conducting actual 
polling, the actual polling circuit providing an actual 
polling signal for monitoring each of the plurality of 
data entry ports to determine whether data signals 
are being received, the actual polling circuit identi- 
fying the data entry ports receiving data signals and 
generating an output signal corresponding thereto. 

a false polling circuit adapted to be coupled to the 
plurality of data entry ports, the false polling circuit 
providing a false polling signal to the plurality of data 
entry ports for at least one of: (t) producing a lalse 
indication that a data signal is being received by at 
least one ol the plurality ol date entry ports and (ir) 
producing a false indication that actual polling of the 
plurality of data enlry pons is occurring . and 
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a data encoding circuit adapted to be coupled to the 
actual polling circuit, the data encoding circuit being 
responsive to a signal related to the actual polliing 
circuit output signal, the data encoding circuit en- 
coding a signal related to the data signals and gen- 
erating an encoded signal for transmission external 
to the secured processor 
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Description 

BACKGRDI I MP QF THF IMUcmt,^, 
Field of the Invention 

moJIf » PfeSenl inVen ' i0n re,ates ,0 an a PParatus and 
method or use with a transaction terminal, and more 
specifically loan electronic circuit that detects data entry 
on the keypad of a transaction terminal and inhibits the 
fraudulent acquisition of the entered data. 


Description of the RelatArt An 


Transaction terminals such as automatic teller ma- 

^ftp^ MS) eteC ' r0niC ' UndS ' rans,er at P° in « ol sale 
(EFTPOS) terminals and retail transaction terminals (. 
e^cred, card and debit machines) are becoming it 
creasmgiy common. Normally, a user inserts an identi- 
ica ion card having a magnetic stripe into a card reader 
to identify the use, and p.ovide data such as account 
nforma.,on Thereafter, in order to effectuate a Wansac- 

pL? T en ' erS 3 PerSOna ' ^'^.ion number 
(PIN) via a keypad. The combination of the P.N and the 
account information authorizes the store or bank that is- 
coun, ! "T* !° e " eC,Ua,e 3 Char 9 e gainst the ac- 
12Z Z anS ' er ' UndS ,0 ° r Uom the over's ac- 
count. The requirement of the PIN together with the ac- 
count ,n.orma.,on ensures the owner that the acquisition 
of e,.her „em alone by a thief will no . enable the thief to 
fraudulently transfer funds or charge the owner's ac- 

Transaction terminals have the disadvantage that it 

incal tapping connections to the card reader or keypad 

ilTZ S m T 0r '° m0ni, ° r a card ' s i^erted 
bv?kp! rd and ^ enacircui,connec,io "^made 
by a key depression (e.g., when PIN data is entered) I. 
s also possible lor an electronic eavesdropper to rnon 

! iSSi ° nS *** are ^.ed^en aTaTd 

s inserted m the card readerand when a circuit connec- 
t-on .s made by a key depression o, the keypad (eg 

nTort J T eavesdr0D P er «o oota,n account and P.N 
•nlorma.ionfrom.hetransact.on terminal and.ouse.ha. 
data to execute a fraudulent transaction. The above- 
men oned eavesdropping methods enable execu.ion of 
the l.audulen. transact™ by an unauthorised person 
without P hys,ca..y acqui.ing the bank card and without 
visually observing the user inputting the PIN. This type 
of fraudulent transaction costs banks, credit card com! 
pames. reta, merchants and consumers hundreds of 
millions of dollars each year. 

OBJECTS AND SUMMARY OP tuc rrmn „ 

or J,rti S r ere, ° re ^ ° bieC ' °' ,he P fesenl iw «"»on IO 
prov.de an appafalus and me|nod whjch subs|an|ja||y 
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whTki 80 f leC ' r0niC eavesdr °PP^ determining 
which keys of a transaction terminal Keypac; pressed 

,h IT ,ra " d " ,en,| V obtaining account information and 
the personal identification number (PIN) 

5 viJ'J 8 an0 ' her ° bieCt °' ,he present inver "ton to pro- 
vide an apparatus and method which can monitor a 
ransaction terminal keypad and identify actual data en- 

10 du J f 3 ""J" ° bieCt °' ,he presenl inven «on to pro- 
• l,na . Si9na,s,orm askingactualpollin 9 sig. 
nals used 10 monitor data entry ports 

It is yet another object of the present invention to 

It is a further object of the present invention to pro- 
wde an apparatus and method which reduces the like- 
l-hood of successful electronic eavesdropping by vay. 
;ng the duration of sampling signals utilized tosamp^a 
2 ° Iransaction terminal keypad. ^.npiea 

orovlLi 8 f" 3 ' Ur1her ° bieC ' °' ' he Present inve "tion to 
H Zt J " f PPafa,US and melhod reduces the 

hkehhood of successful electrons eavesdropping by 
varying an amount of time elapsed between sampling 
* signals utilized ,0 sample a transaction tormina, keypad 

or 0 v L'! 3 ' Ur,her ***** °' ,he Present inve "tion to 
i 3 ^^ PrOCeSSOf cou P ,ed t0 a transaction 
termmal wh.ch does not expose a PIN and associated 

30 Zm' ,n ' t ° rma,i0n ° btained ,r ° m « he '-nsactiont^ 
30 m.nal to external data lines without encryption 

J' al f an ob J' ect o' the present invention to over- 
come inherent disadvantages of known keypad trans- 
action terminal electronic circuits 

In accordance with one form of the present inven- 

tran^f "** " c « 

-n a transact™ terminal, includes an actual polling c.r- 

siJnl f 3 Ua ' P0 " in9 CirCUit ° enerates actual polling 
signals .0 monitor a plurality of data entry ports te g 

-o 1 II ° 3 da,a . en,ry keypad) '° de,e ™™ whether dat 
naf ZT "f'r^^^'^'^^ac.iontermi- 
nar The actual polhng circuit identifies the data entry 
ports actuated by. a user. y 
The secured processor also includes a false oollino 
crcuit adapted .0 be operahvely coup.ed ,0 the data T n 

signal to the data entry ports which triggers a false re 
sponse from .he data entry pons lor prc^ucingl fa.'e 
.ndicanon (,.e.. simulation) .0 an electronic eavesdrop 
so Z I ' S : mUlateS ,ha * da,a is bei "9 ^'^ed through 

ILvesd ,r, f a,i ° n 0 6 ' maSk ' n0 > «° an e.ectrL 
Tc^Z ? Z k 0 " maSkS ' hat aC ' Ual po,li "9 °' th « 
Sr^MnT ,S 9 COadUC '° d by ,h ° ac,ual P olli "9 
« Z Z I tolT ^ ^ ° ,eC ' r0niC eavesd '°PPer will no. 
S,s wht! ^T^Wk^aCualponingsig. 
P?rLT 9na ' S afe ' a,Se P 0 " 1 ^ siQ nals and when 
data ,s actually being entered through the data entry 
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The secured processor also includes a data encod- 
ing circuit operatively coupled to the actual polling cir- 
cuit. The data encoding circuit is responsive to the actual 
polling circuit, encodes the data signals provided 
through the data entry ports, and generates encoded 5 
data which is provided to an auxiliary processor via a 
data line for transmission to a central processor located 
outside the transaction terminal. 

The secured processor also includes a control cir- 
cuit operatively coupled to the actual polling circuit and io 
the false polling circuit for activating and deactivating 
the polling (i.e., sampling) operations performed by the 
actual and false polling circuits. 

According to another aspect of the present inven- 
tion, a method ot providing a secured transmission of *5 
actual data signals from a plurality ol data entry ports to 
a processor includes polling (i.e. , sampling) the data en- 
try pons to determine whether actual data signals have 
been provided thereto. The method also includes polling 
the dala entry ports to trigger a false response Irom the 20 
data entry ports which provides a false indication to sim- 
ulate that actual data signals have been provided there- 
to. Also a false indication is provided that polling of the 
dala entry ports is occurring in order to mask the actual 
polling. The method further includes encoding the actual 2$ 
data signals and transmitting the encoded data signals 
to a central processor located outside the transaction 
terminal. 

A preferred form of the apparatus and method to 
provide security for a keypad processor of a transaction 30 
terminal, as well as other embodiments, objects, fea- 
tures and advantages of this invention, will be apparent 
from the following detailed description of illustrative em- 
bodiments thereof, which is to be read in connection with 
the accompanying drawings. 35 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram ot the secured proces- 
sor coupled to a keypad, an auxiliary processor, inter- 
face circuit and card reader in accordance with the 
present invention. 

Figure 2A is a flow chart of steps performed to pro- 
vide security tor a keypad processor ol a transaction ter- 
minal in accordance with the present invention. 

Figure 2B is a flow chart ot steps performed in the 
unsecured mode ol obtaining PIN data from a keypad 
of a transaction terminal in accoidance with the present 
invention 

Figure 2C is a flow chart of steps performed for pro- 
viding actual polling of a transaction terminal in a se- 
cured mode in accordance with the present invention. 

Figure 2D is a flow chart of steps performed tor pro- 
viding false polling and simulated data entry of a trans- 
action terminal in a secured mode in accordance with 
the present invention 

Figure 2E is a flow chart of steps performed for en- 
crypting data and providing the encrypted data from the 


secured processor to a processor in a secured mode in 
accordance with the present invention. 

Figure 3A is a timing chart showing the generation 
of actual polling signals by the secured processor in ac- 
cordance with the present invention. 

Figure 3B is a timing chart showing the generation 
of actual and false polling signals and simulated data 
entry generated by the secured processor in a secured 
mode in accordance with the present invention. 

Figure 4 is a partially exploded perspective view of 
the secured processor encapsulated within a multi-layer 
circuit board in accordance with the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Referring to Figures 1 -4 of the drawings, a preferred 
form of the secured processor 2 constructed in accord- 
ance with the present invention will now be described. 
The secured processor 2 is preferably contained within 
a transaction terminal 4. Th.e secured processor is pref- 
erably coupled to a keypad 7 via transmission line 3. 
and to an auxiliary processor 6 via data lines 5. 23. The 
keypad 7 is utilized for data entry by and communication 
with a user (e.g., via an electronic ATM touch screen). 
The secured processor 2 is also operatively coupled to 
a card reader 8 via the auxiliary processor 6, interface 
circuits 9 and data line 5 as shown in Figure 1. Card 
reader 8 is adapted to accommodate insertion of a bank 
card, credit card or other suitable identification card In- 
terface circuit 9. as is known in the art, serves as the 
principal input/output interlace between the card reader 
8. auxiliary processor 6. central processor 21, and se- 
cured processor 2. Preferably, interface circuit 9 is an 
application specific integrated circuit (ASIC) particularly 
- r^^-Hto interface with the aforementioned circuits. 

The keypad 7 preferably includes a conventional 
keypad array having a plurality of keys. Each key pref- 
erably has a keyswitch 10 associated therewith. As is 
known in the art. the keyswitch provides an electrical 
connection between a specific row conduclor and col- 
umn conductor when a corresponding key is depressed. 
The keyswitches 10 of the keypad array are denoted in 
Figure. 1 as S1-S12. Although twelve keyswitches ar- 
ranged in three columns and four rows are shown, it is 
foreseen that alternate configurations of the keyswitch- 
es may be utilized. 

As is known in the art a keypad includes a plurality 
of horizontal conductors (H), each being associated with 
a specific row of keys, and a plurality of vertical conduc- 
tors (V). each being associated with a specific column 
ol keys Whenever a particular key of the keypad is ac- 
tuated, the corresponding keyswitch serves to electri- 
cally couple a row conduclor t H) associated with the row 
in which the selected key is situated, with a column con- 
ductor (V) associated with the column in which the se- 
lected key is situated As shown in Figure 1 . the vertical 
conductors associated wnh the three columns are des- 
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jgnated V1 , V2 and V3 respectively. The horizontal con- 
ductors associated with the four rows are designated 
H1. H2. H3and H4 respectively. 

In order to determine which key of the keypad has 
been depressed, the secured processor 2 preferably in- 
cludes a control circuit 12 and an actual polling circuit 
14. Secured processor 2 also includes a false polling 
circuit 16. The control circuit 12 is electrically coupled 
to both the actual polling circuit 14 and false polling cir- 
cuit 16. Actual polling circuit 14 samples (hereinafter, 
sampling, and polling will be used interchangeably) the 
keypad conductors to identify an actual key depression, 
and false polling circuit 1 6 performs false sampling (i.e., 
masking) and simulated data entry (i.e., simulation) of 
the keypad, as will be described in detail below. The con- 
trol circuit 12 monitors and regulates the keypad sam- 
pling performed by both actual polling circuit 14 and 
false polling circuit 16. 

The control circuit 12 preferably includes timers 1 8a 
(TIMERO)and 18b (TIMER 1) Timers 18a. 18b regulate 
the activation and deactivation of the sampling opera- 
tions performed by the actual and false polling circuits, 
respectively. Timers 18a and 18b preferably operate at 
substantially different frequencies. In the preferred em- 
bodiment and as will be described in more detail below, 
timer 18b operates at a substantially higher frequency 
than timer 18a so that a substantially greater number of 
false samples and false data entries are generated by 
the false polling circuit 16 than actual sampling signals 
generated by the actual polling circuit 14 The timers 
preferably operate concurrently and independently of 
each other By having the false polling circuit 1 6 operate 
concurrently with and generating substantially more 
samples than the actual polling circuit 14, the sampling 
signals generated by the actual polling circuit and the 
actual PIN data entries provided by a user through the* 
keypad are masked and not readily discernable to an 
electronic eavesdropper. As will be described in more 
detail, the control circuit 12 monitors overflows (i.e., in- 
terrupts) generated by the timers and instructs the ac- 
tual or false sampling circuit to perform its respective 
sampling operations when a timer overflow is detected. 

The actual polling circuit 14 employs an actual sam- 
pling operation (described below) which samples the 
columns and monitors the rows ol the keypad to ascer- 
tain the identity of a specific key depressed by the user. 
In contrast, the false polling circuit 16 employs an alter- 
nate (false) sampling operation (described below) which 
both creates false samplings of the keypad (to simulate 
the actual sampling operation) and a random simulation 
of key depressions so as loconf use an electronic eaves- 
dropper (to simulate the actual key depressions). 

The false sampling conducted by the lalso polling 
circuit 1 6 is designed to be indistinguishable, to an elec- 
tronic eavesdropper, from the actual sampling conduct- 
ed by the actual polling circuit 14. In order to effectuate 
the sampling operations, the actual polling circuit 14 and 
the false polling circuit 16 include respective signal gen- 


erators 1 3, 1 5. The signal generators 13, 15 respectively 
generate actual and false sampling signals of varying 
width (i.e.. duration) and at varying time intervals (de- 
scribed below) so that an electronic eavesdropper will 
5 be unable to detect a sampling pattern based on a signal 
width or time of transmission. The false polling circuit 16 
also preferably includes counter 1 7 and memory means 
29 for effectuating simulation of data entries (described 
below). 

In order to vary the duration that the sampling signal 
is applied (i.e., the duration of the pulse), the signal gen- 
erators 13, 15 apply the sampling signal to a selected 
conductor for a time period dictated by a random 
number (S in Step 63: T in Step 100; U in Step 102) 
selected by a random number generator (not shown) 
coupled to the signal generator (described below). The 
larger the random number, the longer the signal is ap- 
plied to the selected conductor. The varying time inter- 
vals between the sampling signals (i.e., time that each 
sampling signal is generated) that are provided by the 
signal generators 13, 15 to the conductors is also dic- 
tated by a random number (Y and Z in Steps 54-60 be- 
low) selected by a random number generator (not 
shown) and a timer (TIMER 0 and TIMER 1 ) coupled to 
the signal generator (described below). 

As will be described in more detail, actual and false 
polling circuits 14 : 16 concurrently operate and alter- 
nately sample the conductors of the keypad. However, 
because timer 18b is operating at a substantially higher 
frequency than timer 18a, a substantially greater 
number of false samples are generated than actual 
samples. For example, the actual polling circuit may 
sample the keypad once. Then, the false polling circuit 
will sample the keypad for ten (10) consecutive times, 
whereupon sampling is performed by the actual polling 
r ; '~; : * :?ce, then the false polling circuit will sample the 
keypad for seven (7) consecutive times. This random 
actual and false sampling scheme will be described in 
more detail below. 

In a preferred embodiment of the invention, the se- 
cured processor 2 also preferably includes a memory 
circuit 20 electrically coupled to the actual polling circuit 
14. The memory circuit 20 receives and stores the iden- 
tification ol each key actuated by a user (i.e., PIN data) 
that is provided by the actual polling circuit 14. The 
memory circuit 20 preferably stores the PIN data until 
the processor 6 determines that all of the PIN data has 
been entered and identified. 

The secured piocessor 2 also includes a data en- 
coding circuit 22 operative ly coupled to the memory cir- 
cuit 20. The data encoding circuit 22 prelerably receives 
the PIN data from the memory circuit 20, encrypts the 
data and sends the encrypted data via data line 5 to aux- 
iliary processor 6 for processing and eventual transmis- 
sion via data line 25 to a central processor 21 . 

In an alternative form of the invention, the memory 
circuit 20 may also receive and store account informa- 
tion provided by the card reader 8 and processor 6 via 
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data lines 5. The memory circuit stores the account in- 
formation with the PIN data until it is determined that ail 
of the PIN data is received. Thereafter, the PIN data to- 
gether with the account information is encrypted and 
sent via data line 5 to auxiliary processor 6 wherein the 
encrypted data is sent to central processor 21 . It is ad- 
vantageous to encrypt the account information before 
transmission from the secured processor 2 to the central 
processor 21 so that a potential electronic eavesdropper 
will not be able to identify any information included in 
the transmission. 

In the preferred embodiment of the invention, the 
secured processor 2 t which includes at least the control 
circuit 12, actual polling circuit 14, false polling circuit 
16, memory circuit 20 and data encoding circuit 22, is a 
microprocessor. A suitable microprocessor which may 
be used is Part No. 67C51 RA manutactured by the Intel 
Corporation, or Part No. 87C524 manufactured by the 
Phillips Corporation. Each microprocessor contains at 
least 8K bytes of ROM and 512 bytes of internal RAM. 
Other microprocessors may be suitable, but the afore- 
mentioned microprocessors are preferred because of 
their relatively low cost. 

The auxiliary processor 6 may be any general sys- 
tem controller as known in the art. Preferably, auxiliary 
processor 6 is a CMOS microprocessor having a 16-bit 
internal architecture; 8 bit external data bus and 20 ad- 
dress lines. The CMOS microprocessor is capable of 
operating at 16 MHz, but preferably operates at 9MHz 
The instruction set of the auxiliary processor 6 is a su- 
perset of the 8086/8088 processors. Other suitable 
processors may be utilized. 

Having described the circuit configuration of the se- 
cured processor 2, the operation of the apparatus will 
now be described. Each step of the method of operation 
of the secured processor is controlled by a master clock 
(not shown) unless otherwise specified. 

Referring now to Figure 2 A. a flow chart of the steps 
performed to provide security for transmission ol data 
Irom a keypad of a transaction terminal to a central proc- 
essor 21 is shown. In a preferred embodiment of the in- 
vention and as known in the art, the transaction terminal 
4 is activated by the insertion of a bank card, charge 
card, identification card or the like into the card reader 
8 (Fig. 1). The activation of the transaction terminal is 
detected (Step 30) by the auxiliary processor 6 which 
receives an indication ol insertion of the card from the 
card leader 8 via interlace circuit 9. (Fig. 1 ). 

Upon detection of the activation of the tiansaction 
terminal 4 (Step 30). the auxiliary processor 6 deter- 
mines whether the secured processor 2 will poll (i.e.. 
sample) the keypad in a secured or unsecured mode 
(Step 32). This determination is based upon the type of 
transaction to take place. Unsecured polling usually is 
selected when there is no threat ol an electronic eaves- 
dropper acquiring the PIN data or when secret informa- 
tion ts not to be entered through ihe keypad For exam- 
ple, if the user is only lo receive inlormalion. such as 


stock quotations or current interest rates, there may be 
no need to enter a secured mode. However, if a with- 
drawal, transfer of funds or other charge against an ac- 
count is to take place wherein a PIN is to be entered, 
s then a secured mode may be preferred. Secured polling 
is typically selected when there is a risk of unauthorized 
electronic monitoring of the keypad or when secret in- 
formation is to be entered. If the auxiliary processor 6 
determines that unsecured polling will take place, the 
method continues as shown in Figure 2B. However, if 
secured polling is to occur, the method continues as 
shown in Figures 2A, 2C and 2D. 

Referring now to Figures 2A and 2B, if unsecured 
polling is to occur (UNSECURED in STEP 32), the aux- 
iliary processor 6 instructs the control circuit 12 to acti- 
vate the actual polling circuit 14 (Step 34). The actual 
polling circuit 14 then begins sampling. Specifically, the 
TIMER 0 (18a) is loaded with an initial predetermined 
fixed value X (Step 36). The value X is used by the timer 
lo determine how frequently the actual polling circuit will 
sample the keypad. In one embodiment of the invention, 
X is chosen such that the keypad is sampled by the ac- 
tual polling circuit every 10 msec. 

TIMER 0 is activated (Step 38) by control circuit 12 
and increments its internal value. TIMER 0 is monitored 
to determine whether its incremented internal value is 
greater than the predetermined fixed value X t i.e., 
whether TIMER 0 has an overflow (Step 40). If the an- 
swer is NO to Step 40, TIMER 0 continues to operate 
until the incremented internal value of TIMER 0 is great- 
er than X. 

When TIMER 0 has an overflow (YES in Step 40). 
a column of the keypad is selected for sampling (Step 
42). In the unsecured mode, columns are preferably se- 
quentially selected (e.g., from a table) so that each col- 
umn is substantially sampled an equal number of times. 
For example, column 1 (i.e., conductor V1) will be se- 
lected during the first sampling, column 2 (i.e.. conduc- 
tor V2) will be selected during the second sampling and 
so forth. Once all of the columns have been sampled, 
the order of selection is repeated. While in the preferred 
embodiment columns are selected lor sampling, it is 
foreseen that rows may be sampled (i.e., polled) instead 
ol columns. 

Once a column has been selected, the actual poll- 
ing circuit 14 utilizes the signal generator 13 contained 
therein to generate a signal (i.e.. a pulse) which is trans- 
mitted along the selected vertical conductor (Step 44). 
While in the preferred embodiment pulse signals aie 
transmitted for sampling, the use of other types of sam- 
pling waveforms is foreseen. 

Contemporaneous lo transmitting the signal along 
the vertical conductor (for example V2) corresponding 
to the selected column, the actual polling circuit 14 si- 
multaneously monitors the horizontal conductors (HI. 
H2. H3 and H4) associated with alt of Ihe rows (Step 
46) Specifically the actual polling circuit 1 4 monitors all 
of the horizontal conductors m parallel todelermme Ihe 
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presence of an electrical signal coincident with the sig- 
nal transmitted on the selected vertical conductor. If any 
of the horizontal conductors has a signal transmitted 
thereon which is coincident with the signal transmitted 
on the selected vertical conductor, then that particular 
conductor is identified (for example H2). The key de- 
fined by the row and column corresponding to conduc- 
tors H2 and V2, respectively is noted as having been 
selected by the user (Step 48). If none of the horizontal 
conductors are determined as being coupled to the se- 
lected vertical conductor, (NO in Step 48). then TIMER 
0 is reloaded with the predetermined fixed sampling val- 
ue X (Step 36) and the timer is once again activated 
(Step 38). 

If it is determined that a row is connected to the sam- 
pled column (YES in Step 48), then the selected column 
and detected row are noted and the row and column 
combination information is provided directly to auxiliary 
processor 6 (Step 50) via data line 23. Alternatively, the 
PIN data is stored in memory circuit 20 before being pro- 
vided to auxiliary processor 6. The auxiliary processor 
6 then determines whether all of the PIN data has been 
received (Step 52). If all of the PIN information has been 
received and/or detected (YES in Step 52), operation of 
the actual polling circuit 14 is temporarily suspended by 
the control circuit 12 until it is once again activated by 
insertion of an identification card in the card reader 8 
(Step 53). If the processor 6 determines that all of the 
PIN data has not been received and/or detected (NO in 
Step 52). TIMER 0 is reloaded with the predetermined 
lixed sampling value X (Step 36) and TIMER 0 is once 
again activated (Step 38). Thereafter, the sampling 
process shown in Fig. 2B is repeated until the processor 
6 determines that all PIN data has been received (YES 
in Step 52) 

Referring again to Fig. 2A, it the secured processor 
2 is to operate in a secured mode because secret infor- 
mation (e.g.. PIN data) is to be entered or if there is a 
threat o! electronic eavesdropping (SECURED in Step 
32). the actual polling circuit 14 and the false polling cir- 
cuit 1 6 are activated (Step 33). and TIMER 0 and TIMER 
1 are loaded with randomly generated values Y, Z re- 
spectively (Step 54). Thereafter, TIMER 0 and TIMER 1 
are activated and operating (Step 56). Preferably, ran- 
dom value Y is substantially larger than random value 
Z so that the TIMER 1 will overflow more often than TIM- 
ER 0. Therefore, even if TIMER 0 and TIMER 1 are op- 
erating at the same frequency, the false polling circuit 
16 will sample the keypad substantially more times than 
the actual polling circuit 14. 

The secured processor 2 monitors TIMER 0 and 
TIMER 1 to determine when a timer has an overflow. 
Initially. TIMER 0 is checked to dclcrminc whether there 
has been an overflow, i.e.. whether the value of TIMER 

0 is greater than random value Y (Step 56). II TIMER 0 
does not have an overflow (NO in Step 58). then TIMER 

1 is checked to determine if there has been an overflow, 
t e . whether the value of TIMER 1 is greater than ran- 


dom value Z (Step 60). If there has not been an overflow 
of TIMER 1 (NO to Step 60), the method returns to Step 
56 wherein TIMER 0 and TIMER 1 are operating. This 
loop is continued until either TIMER 0 or TIMER 1 has 

5 an overflow. In one embodiment of the invention : TIMER 
0 overflows (i.e., a new random column is selected for 
sampling by the actual polling circuit) every 8-1 2 msec 
and TIMER 1 overflows (i.e.. a new random column is 
selected for sampling by the false polling circuit) every . 

10 5-1 .5 msec. However, it is foreseen that other sampling 
rates may be employed. 

If TIMER 0 has an overflow (YES in Step 58), then 
the method continues as shown in Figure 2C. However, 
if TIMER 1 is determined as having an overflow (YES in 

?5 Step 60), then the method continues as shown in Figure 
2D. 

Referring now to Figure 2C, if an overflow of TIMER 
0 is determined (YES is Step 56), the actual polling cir- 
cuit 1 4 selects a random column for actual sampling 

20 (Step 62). Specifically, using a random number gener- 
ation method such as that disclosed on page 1 99 of the 
book entitled "Digital Computing and Numerical Meth- 
ods", by Brice Carnaham and James O. Wilkes, pub- 
lished by John Wiley and Sons, Inc. (1973), which is in- 

2S corporatcd heroin by reference, the actual polling circuit 
14 selects a random column (i.e., vertical conductor V) 
for sampling. While a random number generation meth- 
od is disclosed in the above reference, other methods 
of selecting a random column for sampling may be em- 

30 ployed 

While in the preferred embodiment the column is 
randomly selected, it is foreseen that columns may be 
sampled sequentially (as explained above in connection 
with unsecured sampling) and that rows may be sam- 

35 pled (i.e., polled) instead of columns. However, when 
potential eavesdropping is a concern, it is preferable to 
use a random selection of columns (or rows) to insure 
that an electronic eavesdropper will be unable to differ- 
entiate the actual sampling from false sampling as will 

40 be explained below 

Referring still to Figure 2C, the actual polling circuit 
14 selects one of the first, second and third columns re- 
spectively designated by vertical conductors V1 V2 and 
V3 (Fig. 1) tor sampling. Thereafter, a random number 

45 s is generated The random number determines the du- 
ration of the sampling signal. The actual polling circuit 
14 utilizing the signal generator 13 contained therein, 
then generates a signal which is transmitted along the 
selected vertical conductor (Step 64) for the duration (i. 

so e. , clock cycles) indicated by the random number select- 
ed in Step 63 Referring to Figure 3A, if Column 2 (des- 
ignated by vertical conductor V2) is selected as the ran- 
dom column during time frame t v the pulsed signal will 
be transmitted by the signal generator of actual polling 

55 circuit 1 4 along conductor V2 While in the preferred em- 
bodiment pulsed signals are transmitted for sampling, 
the use of other types of waveforms is foreseen In yet 
another embodiment of fhe invention, the pulsed signals 
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generated by the signal generator and transmitted by 
the actual polling circuit during each sampling cycle ran- 
domly vary in width (i.e.. duration) as will be explained 
in more detail below, so that an electronic eavesdropper 
will be unable to detect a sampling pattern. 5 

Contemporaneous to transmitting the pulsed signal 
along conductor V2 ; the actual polling circuit 14 moni- 
tors the horizontal conductors (H1 , H2, H3 and H4) as- 
sociated with all of the rows (Step 66). Specifically, the 
actual polling circuit 14 monitors all of the horizontal con- 10 
ductors in parallel, to determine the presence of an elec- 
trical signal. If none of the horizontal conductors has an 
electrical signal (i.e., no row is electrically coupled to the 
selected column), then a key of the keypad has not been 
depressed (NO in Step 68). Therefore, TIMER 0 is re- is 
loaded with a new random value Y (Step 70). The TIM- 
ER 0 is once again operating (Step 56), and is monitored 
for another overflow (Step 58). If a horizontal conductor 
(H) is detected as having a signal which is coincident 
with the signal transmitted on the selected vertical con- 20 
ductor (V) (YES in Step 68). then the key defined by the 
detected row and selected column is noted as having 
been activated by the user. The row/column combina- 
tion is then stored in memory circuit 20 (Step 72). For 
example and referring to Fig. 3A wherein time periods 2S 
1,-1,5 are shown, if horizontal conductor H2 is detected 
as having the pulsed signal transmitted thereon, then 
row 2 is determined as being connected with column 2. 
This is shown during the time period t ir As shown in 
Figure 1. the determination of the connection of row 2 30 
and column 2 is indicative of the actuation of keyswitch 
S5 of the keypad 

The keyswitch information (i.e.. row and column 
combination) is preferably provided by the actual polling 
circuit 14 to the memory circuit 20 (Step 72) and is tern- 35 
porarily stored in the memory circuit 20 (Fig. 1 ). There- 
after, an internal timer (not shown in Fig. 1) or other 
means is activated to create a random time (Step 74) 
delay in the further operation ol the actual polling circuit 
1 4 and the execution ol the method of Fig. 2C. Then, a -*o 
signal is provided to the secured processor 6 via data 
line 5 (Step 76). The signal is designed to provide an 
indication to the processor 6 that a key has been actu- 
ated (i.e., that a row/column combination has been de- 
tected). Contrary to Step 50 in connection with unse- ^5 
cured polling shown in Fig. 2B, Step 76 does not send 
the actual row/column information to auxiliary processor 
6. Instead, a signal is sent to inform auxiliary processor 
6 that an actual row/colurnn combination corresponding 
to key depression has been identified. Based upon the so 
number of such signals received, the auxiliary processor 
6 determines whether atl of the PIN data has been re- 
ceived through the keypad (Step 78). If all of the PIN 
data has not been received (NO in Step 78). then the 
TIMER 0 is reloaded with a new random value Y (Step ss 
70). the TIMER 0 operates (Step 56). and is monitored 
tor the next overflow (Step 58) However if the proces- 
sor determines that all of the PIN data has been received 


(YES in Step 78). the method continues as shown in Fig. 
2E which will be described. 

Referring to Figures 2A and 2D, if TIMER 1 (corre- 
sponding to the false polling circuit 1 6) is determined as 
not having an overflow (NO in Step 60). the method re- 
turns to Step 56 wherein TIMER 0 and TIMER 1 contin- 
ue to operate. However, if TIMER 1 is detected as hav- 
ing an overflow (YES in Step 60). a determination is 
made as to whether the false polling method is currently 
in a simulation mode (Step 82). Specifically, the secured 
processor determines whether a flag has been set (per 
Step 92, as discussed below) indicating that the simu- 
lation mode has been entered. The simulation mode is 
designed to provide a false indication that a data entry 
has been made on the keypad (i.e., simulating a key de- 
pression) to confuse an electronic eavesdropper. Spe- 
cifically, coincident signals are sent to both a row con- 
ductor (H) and column conductor (V) of the keypad. 

If the false polling circuit 16 is not currently in sim- 
ulation mode, i.e., the simulation flag has not been set 
(NO in Step 82), then false sampling of the keypad takes 
place wherein a random number Q is generated using 
a random number generation method as previously de- 
scribed. The false sampling is designed to mask the ac- 
tual sampling signals generated by the actual polling cir- 
cuit. The random number Q is compared to a predeter- 
mined number R (Step 84). If the random number Q is 
not equivalent to the predetermined number R (NO in 
Step 86), then the simulation mode is not initiated, i.e., 
the simulation flag is not set Therefore, a random col- 
umn is selected for false sampling (Step 90) as de- 
scribed above in connection with Step 62 of the actual 
polling circuit. However, if the randomly generated 
number Q is equal to the predetermined number R (YES 
in Step 86), a simulation flag is set. a simulation counter 
17 (see Fig. 1) is activated, and a random column and 
row combination are selected and stored in memory 29 
(Step 92). The selected row and column combination 
will be used in the simulation mode such that if a random 
column selected in Step 94 coincides with the column 
of the row/column combination selected in Step 92. then 
a random row will not be selected and the row chosen 
in Step 92 will be used for simulation as will be de- 
scribed in more detail below. 

Alter the method determines that the simulation 
mode is not to be commenced (NO in Step 86). a ran- 
dom column is selected (Step 90) using a random se- 
lection process. Thereafter, a random row is selected 
(Step 95) using a random selection piocess substantial- 
ly similar to the selection ol the random column. Then, 
a random determination is made (as explained below) 
as to whether the randomly selected row is to have a 
signal provided thereon to confuse an electronic eaves- 
dropper (Step 98). If the randomly selected row is to be 
used. (YES in Step 98). a random number J is selected 
and signals are provided by signal generator 15 of the 
lalse polling circuit 16 on both the randomly selected col- 
umn and row (Step 100) lor the duration indicated by 
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random number T. However, if the randomly selected 
row is not to have a signal transmitted thereon, then a 
random number U is selected and a signal is only pro- 
vided on the conductor of the randomly selected column 
(Step 1 02) for the duration indicated by random number 5 
U. 

The determination made by Step 98 of whether the 
randomly selected row is to be falsely connected to the 
selected column may be accomplished by any known 
method wherein two alternative outcomes are possible, to 
One suitable method utilizes a random number gener- 
ator wherein one outcome (i.e., the row is to be falsely 
connected) is associated with the generation of an odd 
random number and a second outcome (i.e., the row is 
not be falsely connected) is associated with the gener- is 
ation of an even random number. Other suitable meth- 
ods may be employed. A random decision process is 
used so that an electronic eavesdropper will be unable 
to delect a decision-making pattern with respect to Step 
98. 20 

The following explanation returns to Step 86 when 
its determination results in a YES output. After the sim- 
ulation counter is started and a random row/column 
combination has been selected and stored in Step 92, 
and a random column is selected in Step 94, a dctcrmi- 25 
nation is made (Step 104) as to whether the randomly 
selected column (from Step 94) is the same as the col- 
umn of the row/column combination selected in Step 92 
and stored in memory 29. If the column selected in Step 
94 is not the same as the column of the row/column com- 30 
bination selected in Step 92 (NO in Step 104), then a 
random row is selected (Step 96). Thereafter, the afore- 
mentioned random determination is made as to whether 
the randomly generated row will have a signal provided 
thereon (Step 98). If the row is not to have a signaf pro- 35 
vided thereon (NO in step 98), then only a signal is pro- 
vided on the selected column conductor to perform false 
sampling (Step 102). However, as previously men- 
tioned, if the randomly generated row is to include a sig- 
nal thereon (YES in Step 98), then the column selected -to 
in Step 94 and the row selected in Step 96 each have a 
signal provided thereon. The signals may or may not be 
coincident, and may vary in duration, start time and/or 
end time (Step 100) By providing the pulsed signal on 
the conductors of both the randomly selected column «*5 
and row it will mask the actual sampling signals and, if 
coincident, simulate actual key entries being made. This 
will confuse an eleclronic. eavesdropper because ran- 
dom signals (i.e. noise) are being transmitted on the 
row conductors. so 

If it is determined that the method is currently in a 
simulation mode to simulate actuation of a keypad (YES 
in Slop 94). and that the randomly selected column from 
Step 94 coincides with the column selected in Step 92 
(YES in Step 104). the row which was Selected in Step 5S 
92 is obtained from memory 29 (Step 106) and the con- 
ductors corresponding to the row/column combination 
selected in Step 92 are provided with coincident pulsed 


signals to simulate a keypad entry. From detection of 
the pulsed signal on the conductors of both the column 
and row combination selected in Step 92 each time the 
column selected in Step 94 coincides with the column 
selected in Step 92 during the simulation mode, it will 
appear to an eleclronic eavesdropper that actual sam- 
pling and data entry (i.e., actuation of a key of the key- 
pad) is occurring. After signals are transmitted on the 
row and column conductors (Step 100) or only on the 
column conductor (Step 102), TIMER 1 is reloaded with 
a new randomly selected value Z (Step 105) and the 
method returns to Step 56 wherein TIMER 0 and TIMER 
1 are operating (Fig. 2 A). 

If after TIMER 1 is detected as having an overflow 
(YES in Step 60) it is determined (i.e., a simulation flag 
has previously been set in Step 92) that the method is 
currently in simulation mode (YES in Step 82), the spe- 
cial simulation counter 17 which was activated in step 
92 is incremented (Step 108). Then, the simulation 
counter 17 is monitored lo determine whether an over- 
flow has occurred (Step 11Q). If an overflow of simulation 
counter 17, which is indicative of the end of the simula- 
tion mode, is delected (YES in Step 110), memory 29 
which stores the column/row combination selected in 
Step 92 is cleared (Step 114)and the method continues 
with Step 84 wherein a random number Q is generated 
and compared to the predetermined value R to deter- 
mine whether the simulation mode should be entered (i. 
e., restarted). Preferably, both the predetermined 
number R and the randomly generated number Q of 
Step 84 are four bit numbers such that there is a 1 in 
128 probability that the simulation mode will be entered 
during each pass of Step 84. Preferably, the simulation 
counter is set to overflow after 1 28 cycles. However, oth- 
er probabilities of entering the simulation mode and oth- 
er simulation counter overflows are foreseen. 

If it is determined there has not been an overflow of 
the simulation counter 17 (NO in Step 110), the method 
continues with the selection of the random column in 
Step 94 and the determination as to whether the random 
column selected in Step 94 is the same as the column 
selected in Step 92 as previously described 

Referring now lo Figures 2A, 2C and 2E, once the 
auxiliary processor 5 determines that all of the PIN data 
has been identified and recerved (YES in Step 78), the 
auxiliary processor 6 sends a command to the control 
circuit 12 of the secured processor 2 to cease operation 
and polling of the keypad (Step 112). This effectively 
suspends operation of the actual and false polling cir- 
cuits. Thereafter, the auxiliary processor 6 sends a com- 
mand signal via data line 23 to the control circuit 12 lo 
transfer the PIN data from memory circuit 20 to the data 
encoding circuit 22. The command signal also instructs 
the control circuit* to command the dala encoding circuit 
22 to encrypt the PIN data (Step 114) After the PIN data 
has been encrypted, the data encoding circuit 22 sends 
the encrypted data to the auxiliary processor 6 (Step 
116) Since the data is encrypted before it is provided 
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on data bus 5 and to central processor 21 , the PIN data 
is not easily discernable to eavesdroppers who may be 
monitoring those data lines. 

After transmission of the PIN data to the central 
processor 21 , the auxiliary processor 6 may instruct the 5 
secured processor 2 to either go into the normal unse- 
cured mode of keypad sampling (See Fig. 2B) or to stop 
sampling the keypad altogether and wait for and detect 
the next activation of the transaction terminal by a user 
(e.g., insertion of an identification card into the card to 
reader, Step 30). 

The data encoding circuit 22 preferably encrypts the 
PIN data in accordance with an encryption technique 
specified by the American National Standards Institute 
of New York as known in the art. Other encoding and is 
encryption methods may be utilized without departing 
from the scope ol the invention. The present invention 
is designed such that once the PIN data is identified and 
acquired by the secured processor 2, it is encrypted 
within the secured processor itself. In this way unen- 20 
crypted PIN data is not exposed to external data lines 
(i.e., data bus 5 and 25 in Fig. 1) which would be sus- 
ceptible to electronic eavesdropping. 

Referring now to Figure 3B, a timing chart showing 
the generation of pulse signals by the actual and false 2S 
polling circuits in accordance with the present invention 
is shown. Figure 3B shows 23 time frames (t,-t 23 > of var- 
ying duration and occurrence. Actual sampling is con- 
ducted by the actual polling circuit 1 4 during time frames 
l.,andt 17 False samples and simulated data entry occur 30 
during all other time frames. As is evident from Fig. 3B. 
without knowing when sampling is being conducted by 
the actual polling circuit, an electronic eavesdropper is 
not likely to determine during which time period(s) PIN 
data is being entered. For example, during time periods 35 
h J s x ^s■ *)7- and W various row and column com- 
binations are shown as having coincident signals. How- 
ever, only during time t l7 . during which time actual sam- 
pling is being conducted by the actual polling circuit is 
a key of the keypad detected as being depressed by a -to 
user. As is evident from Figure 3B. an electronic eaves- 
dropper cannot readily discern which signals are actual 
samples and which samples are false samples. Figure 
3B clearly shows the benefit ot the present invention and 
its ability to mask actual samples and simulate key de- J 5 
pressions with a plurality of false samples and simulated 
data entries. 

In order to substantially prevent unauthorized ac- 
cess to the unencrypted PIN and account information, 
the configuration of the present invention includes sub- so 
slantialty less hardware than olher designs which re- 
quire a substantial physical barrier (i.e.. a device which 
docs not permit physical access to electronic circuits, 
and their I/O lines). As previously described, the present 
invention accomplishes this by encrypting the PIN data 55 
within the secured processor. Physical barriers to. pre- 
vent access to PIN data do not yield the level of security 
thai masking, simulation and encryption within the se- 


cured processor is able to provide. 

The present invention includes additional features 
to prevent the unauthorized access to a user's PIN and 
account information. Referring again to Fig. 1 of the 
drawings, the data entry keypad system 1 which in- 
cludes at least the secured processor 2 within transac- 
tion terminal 4, also includes an anti-tampering switch 
24 operably coupled between a power supply V BATT and 
each ot the circuits contained within the secured proc- 
essor 2. The anti-tampering switch 24 is designed to de- 
tect and defeat the physical tampering of the secured 
processor. In a preferred embodiment, the anti-tamper- 
ing switch is a normally open switch which is forced 
closed when shutting a cover of a case (not shown) in 
which the secured processor 2 is contained. As a result, 
if the case is opened by an unauthorized person, the 
switch 24 will change Irom a closed to an open state, 
thereby interrupting the connection to the power supply 
and breaking the supply of power 1o the secured proc- 
essor. Since each circuit of the secured processor re- 
quires power to maintain itsrnemory (i.e., execution pro- 
grams stored in ROM. data stored in RAM, etc.) the sev- 
erance of the power supply will cause the erasure of ail 
of the contents of the processor This includes encryp- 
tion code stored in the data encoding circuit 22 and the 
sampling operations performed by the actual and false 
polling circuits 14, 16. Therefore, opening the case and 
removing the secured processor will render the secured 
processor unusable. Any circuit analysis of the secured 
processor by an unauthorized person will not compro- 
mise the method. 

As a further security measure, the secured proces- 
sor 2 is preferably attached and encapsulated in a mul- 
tilayer circuit board 1 20 as shown in Figure 4 More spe- 
cifically, the secured processor is contained on circuit 
board substrate 122 and is encapsulated by circuit 
board substrates 124 and 1 26. In the preferred embod- 
iment, all of the circuitry of the keypad and the secured 
processor, with the exception of the keypad itself, is con- 
tained on circuit board substrate 1 22 (i.e., an interior lay- 
er ot multilayer circuit board 120). In addition, electrical 
connections between circuit board substrates 124 and 
126 and the secured processor 2, for connection to var- 
ious interlace circuits such as ASIC's and microproces- 
sors, preferably utilize blind vias 128 which hide con- 
nections 130 within the interior of the multilayer circuit 
board. As a result ol the positioning of the secured proc- 
essor 2 within multilayer circuit board 120. any attempt 
to physically access the secured processoi 2 would nec- 
essarily result in destruction of the circuit board sub- 
strates 124. 126 and inoperability of the secured proc- 
essor. 

In an alternative embodiment of the invention and 
as a further security measure, steps 112, 114 and 116 
are modified as follows When the processor determines 
that all of the PIN data has been received and identified 
by the actual polling circuit 1 4. the PIN data is preferably 
not immediately provided to the processor 6 Instead. 
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rather than executing Step 112, a random time delay 
may be executed wherein sampling of the keypad con- 
tinues while data encryption occurs with Step 1 1 4. Then, 
Step 116 is executed not only when encryption is com- 
plete but when the random time delay expires. In this 
way, an electronic eavesdropper will be unable to iden- 
tify the actual polling circuit signals based on a consist- 
ent relationship between the time that the actual polling 
circuit ceases operation and the time that encrypted da- 
ta is provided to processor 6. 

As a result of the present invention, the PIN data 
provided to a transaction terminal by a user is protected 
Irom electronic eavesdropping by encrypting the PIN 
data betore the data is provided on external data lines 
to the processor. The keypad processor security appa- 
ratus utilizes both actual and false polling of the keypad, 
in addition to the generation of false keypad actuation 
to prevent an electronic eavesdropper from fraudulently 
accessing PIN data. 

Although illustrative embodiments of the present in- 
vention have been described herein with reference to 
the accompanying drawings, it is understood that the in- 
vention is not limited to those precise embodiments, and 
that various other changes and modifications may be 
effected therein by one skilled in the art without depart- 
ing from the scope or spirit of the invention. For example, 
one timer can be utilized in the control circuit 12 as op- 
posed to timers 18a and 18b. Also, the operation of the 
system need not begin with actuation of the actual poll- 
ing circuit, but instead, the false polling circuit could be 
activated first. These and all such other modifications 
are intended to fall within the scope of the present in- 
vention as defined by the following claims. 
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false indication that actual polling of the plural- 
ity of data entry ports is occurring; and 
a data encoding circuit adapted to be operative- 
ly coupled to the actual polling circuit, the data 
encoding circuit being responsive to a signal re- 
lated to the actual polling circuit output signal, 
the data encoding circuit encoding a signal re- 
lated to the data signals and generating an en- 
coded signal for transmission external to the 
secured processor. 

2. The secured processor as defined by claim 1 
wherein the plurality of data entry ports corresponds 
to a keypad having a plurality of keys, and wherein 
the false indication that data is being received by at 
least one of the plurality of data entry ports corre- 
sponds to a simulation that at least one of the plu- 
rality of keys of the keypad is being activated. 

3. The secured processor as defined by claim 1 
wherein the false indication that actual polling of the 
plurality of data entry ports is occurring corresponds 
to a masking of the actual polling signal provided by 
the actual polling circuit. 

4. The secured processor as defined by claim 1 
wherein the secured processor comprises a micro- 
processor. 


30 S. The secured processor as defined by claim 1 
wherein the actual polling circuit, false polling circuit 
and data encoding circuit are contained within a sin- 
gle electronic chip. 


2S 


Claims 


1. 


A secured processor for use with a plurality of data 
entry ports which receive data signals, the secured 
processor comprising: 

an actual polling circuit adapted to be opera- 
tively coupled to the plurality of data entry ports 
for conducting actual polling, the actual polling 
circuit providing an actual polling signal for 
monitoring each of the plurality of data entry 
ports to determine whether data signals are be- 
ing received, the actual polling circuit identify- 
ing the data entry ports leceiving data signals 
and generating an output signal corresponding 
thereto: 

a false polling circuit adapted lo be operatively 
coupled to the plurality of data entry ports, the 
false polling circuit providing a false polling sig- 
nal to the plurality of data entry ports tor at least 
one of: {\\ producing a false indication that a da- 
ta signal is being received by at least one ol the 
plurality of data entry ports and (ii) producing a 


35 6. The secured processor as defined by claim 1 
wherein the single electronic chip is encapsulated 
within a multilayer circuit board. 
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55 


7. The secured processor as defined by claim 1 further 
comprising: 

a control circuit operatively coupled to the ac- 
tual polling circuit and the false polling circuit, the 
control circuit instructing at least one of the actual 
polling circuit and the false polling circuit to poll the 
plurality ot data entry ports. 

8. A secured processor as defined by claim 7 wherein 
the control circuit includes a timer circuit, the timer 
circuit providing an indication to the control circuit 
for instructing at least one of the actual polling circuit 
and false polling circuit to poll the plurality of data 
entry ports. 

9. The secured processor as defined by claim 1 further 
comprising 

a memory circuit operatively coupled to the 
actual polling circuit and the data encoding device 
the memory circuil being responsive to and storing 
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at least one signal related to the actual polling circuit 
output signal 

1 0. The secured processor as defined by claim 1 further 
comprising: 

a power-up switch operatively coupled to a 
power supply and to at least one of the actual polling 
circuit, false polling circuit and data encoding de- 
vice, the power-up switch being responsive to a 
physical tampering of the secured processor and at 
least temporarily interrupting the operative coupling 
of the power supply lo at least one of the actual poll- 
ing circuit, false polling circuit and data encoding 
device. 

11. The secured processor as defined by claim 1 
wherein the actual polling circuit includes a signal 
generator for providing an actual polling signal to 
the plurality of data entry ports: and 

wherein the false polling circuit includes a sig- 
nal generator for providing a false polling signal to 
the plurality of data entry ports. 

12. The secured processor as defined by claim 11, 
wherein respective signal generators which provide 
at least one of the actual polling signal and the false 
polling signal generate pulsed signals. 

13. The secured processor as defined by claim 12 
wherein respective signal generators control the 
pulsed signals' to vary in width. 

14. The secured processor as defined by claim 12, 
wherein the actual polling circuit signal generator 
controls the actual polling signal such that time be- 
tween each of the plurality of pulsed actual polling 
signals varies. 

15. The secured processor as defined by claim 12. 
wherein the false polling circuit signal generator 
controls the false polling signal such that time be- 
tween each of the plurality of pulsed false polling 
signals varies 

16. The secured processor as defined by claim 1 
wherein the false polling circuit further comprises: 

a second memory circuit for storing a signal 
indicative of al least one of the plurality of data entry 
ports to be provided with the false polling signal. 

17. A secured processor for use with a plurality of data 
entry ports which receive data signals, the secured 
processor comprising: 

an actual polling circuit adapted to be opera- 
tively coupled lo the plurality of data entry ports 
for conducting actual polling the actual polling 
circuit providing a plurality of actual polling sig- 


nals for monitoring each of the plurality of data 
entry ports to determine whether data signals 
are being received, the actual polling circuit 
identifying the data entry ports receiving data 
s signals and generating an output signal corre- 

sponding thereto: and 

a false polling circuit adapted to be operatively 
coupled to the plurality of data entry ports, the 
false polling circuit providing a plurality of false 

10 polling signal to the plurality of data entry ports 

for at least one of: (i) producing a simulation 
that a data signal is being received by at least 
one of the plurality of data entry ports and (ii) 
masking the actual polling signal being provid- 

75 ed to the plurality of data entry ports. 

18. A secured processor as defined by claim 17 where- 
in the actual polling circuit includes a signal gener- 
ator circuit for generating the actual polling signal 

20 and the false polling circuit includes a signal gener- 
ator circuit for generating the false polling signal, 
and wherein at least one of the actual polling signal 
and the false polling signal has a controlled dura- 
tion. 

25 

19. A secured processor as defined by claim 1 8 where- 
in the actual polling circuit signal generator varies 
a time elapsed between each of the plurality of ac- 
tual polling signals 

30 

20. A secured processor as defined by claim 1 8. where- 
in the false polling circuit signal generator varies a 
time elapsed between each of the plurality of false 
polling signals. 

35 

21. A secured processor as defined by claim 18 where- 
in the actual polling circuit signal generator controls 
the width of each of the plurality of actual polling 
signals. 

40 

22. A secured processor as defined by claim 1 8. where- 
in the false polling circuit signal generator controls 
the width of each of the plurality of false polling sig- 
nals. 

45 

23. A method of providing a secured transmission of ac- 
tual data signals received by a keypad ol a transac- 
tion terminal to a processor which is external lo the 
transaction terminal the method comprising the 

so steps of: 

a) polling the keypad lo determine whether ac- 
tual data signals arc being provided thereto: 

b) polling the keypad to provide a false indica- 
55 tion that at least one of (i) actual data signals 

are being provided thereto and (ii) actual polling 
of the transaction terminal is occurring and 

c) encoding the actual data signals and trans- 
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mitting the encoded data signals to the external 
processor. 

24. The method of providing a secured transmission as 
defined by claim 23, wherein the sampling of the s 
transaction terminal in step (a) is performed ran- 
domly. 

25. The method of providing a secured transmission as 
defined by claim 23, wherein the sampling of the 10 
transaction terminal in step (b) is performed ran- 
domly. 

26. The method of providing a secured transmission as 
defined by claim 23, the method further comprising *s 
the step of; 

performing a random time delay prior to trans- 
mitting the encoded data signal to the processor 

27. A dala enlry system comprising: 20 

a keypad having a plurality of key switches, 
each of the plurality of key switches selectively 
electrically coupling at least one of a plurality of 
row conductors and at least ono of a plurality 25 
of column conductors: and 
a secured processor circuit adapted to be op- 
eratively coupled to each of the plurality of row 
and column conductors of the keypad, the se- 
cured processor including: 30 

(i) an actual polling circuit adapted to be op- 
erativefy coupled to each of the plurality of 
row and column conductors for conducting 
actual polling, the actual polling circuit pro- 35 
viding an actual polling signal on at least 
one of the plurality of row and column con- 
ductors lor detecting actuation of a key 
switch, the actual polling circuit providing 

an actual polling circuit output signal indie- -to 
ative ol which particular key switch from 
among said plurality of key switches has 
been actuated: 

(ii) a false polling circuit adapted to be op- 
eratively coupled to each of the plurality ol -*5 
row and column conductors, the false poll- 
ing circuit providing a false polling signal on 

at least one of the plurality ol row and col- 
umn conductors for providing at least one 
of; (i) simulation that a particular one of said so 
plurality of key switches has been activated 
and (ii) masking the actual polling of the da- 
ta entry ports by tho actual polling circuit: 
and 

(iii) a dala encoding circuit adapted to be 55 
operatively coupled to the actual polling cir- 
cuit and being responsive to a signal relat- 
ed to the actual polling circuit outpul signal. 


the data encoding circuit encoding a signal 
related to the actual polling circuit output 
signal and generating an encoded signal 
for transmission external to the data entry 
keypad system. 

28. A data entry system as defined by claim 27 wherein 
the actual polling signal and the false polling signal 
are pulsed signals. 

29. A data entry system as defined by claim 28 further 
comprising a signal generator wherein the signal 
generator controls an elapsed time between each 
of the actual polling signals. 

30. A data entry system as defined by claim 28 further 
comprising a signal generator wherein the signal 
generator controls an elapsed time between each 
of the false polling signals varies. 

31. A dala entry system as. defined by claim 27 further 
comprising: 

an auxiliary processor operatively coupled to 
the secured processor for receiving the encoded 
signal and transmitting tho encoded signal external 
to the data entry keypad system. 

32. A data entry system as defined by claim 27 further 
comprising: 

a card reader circuit operatively coupled to the 
secured processor, the card reader circuit providing 
an indication to the secured processor of activation 
of the data entry keypad system by a user. 

33. A data entry system as defined by claim 32 further 
comprising: 

an interface circuit operatively coupled be- 
tween the secured processor and the card reader 
circuit, the interface circuit providing an interface for 
operable communication between the card reader 
circuit and the secured processor 

34. A secured processor for use with a plurality of data 
entry ports which receive data signals, the secured 
processor comprising: 

actual polling means operatively coupled to the 
plurality of data entry ports lor conducting ac- 
tual polling the actual polling means providing 
an actual polling means signal for monitoring 
each of the plurality of data entry ports to de- 
termine whether data signals are being re- 
ceived, tho actual polling means identifying the 
data entry ports receiving data signals and gen- 
erating an output signal corresponding thereto: 
false polling means operatively coupled to the 
plurality of data entry ports for providing a false 
polling means signal to the plurality of data en- 
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try ports for at least one of (i) producing a false 
indication that a data signal is being received 
by at least one of the plurality of data entry ports 
and (ii) producing a false indication that actual 
polling of the plurality of data entry ports is oc- 5 
curring; and 

data encoding means operatively coupled to 
the actual polling means for responding toa sig- 
nal related to the actual polling means output 
signal, the data encoding means encoding a io 
signal related to the data signal and generating 
an encoded signal for transmission external to 
the secured processor. 
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